Bug 32675

Summary: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) -apache-sshd
Product: Mageia Reporter: Marja Van Waes <marja11>
Component: SecurityAssignee: Nicolas Lécureuil <mageia>
Status: NEW --- QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: geiger.david68210, lewyssmith, mageia, mageia, marja11, nicolas.salguero, pkg-bugs, security, yvesbrungard
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9TOO
Source RPM: apache-sshd-2.8.0-1.mga9 CVE: CVE-2023-48795
Status comment:
Bug Depends on:    
Bug Blocks: 32641    

Description Marja Van Waes 2023-12-31 18:26:51 CET 
+++ This bug was initially created as a clone of Bug #32641 +++

That CVE was announced here:
https://www.openwall.com/lists/oss-security/2023/12/18/3
https://www.openwall.com/lists/oss-security/2023/12/19/5
https://www.openwall.com/lists/oss-security/2023/12/20/3

Many SSH implementations that are packaged in Mageia are affected:
<snip>
  - apache-sshd

https://github.com/apache/mina-sshd/issues/445 about Terrapin is still open now.
Marja Van Waes 2023-12-31 18:27:22 CET

Whiteboard: (none) => MGA9TOO

Marja Van Waes 2024-01-02 11:59:48 CET

CVE: (none) => CVE-2023-48795

Nicolas Salguero 2024-01-19 16:12:02 CET

Blocks: (none) => 32748

Nicolas Salguero 2024-01-19 16:16:44 CET

Blocks: 32748 => (none)

papoteur 2024-02-15 20:57:21 CET

CC: (none) => mageia

Comment 1 Marc Krämer 2024-02-17 10:24:19 CET 
@papoteur: how can I help?